Fixed admin level security problem.

Plus: "an user" -> "a user"


git-svn-id: http://svn.automattic.com/wordpress/trunk@149 1a063a9b-81f0-0310-95a4-ce76da25c4cd
mikelittle 2003-06-03 00:08:51 +00:00
parent 6362196c2b
commit 8b549dcb12
3 changed files with 10 additions and 10 deletions


@ -127,7 +127,7 @@ switch($action) {
if ($user_level > 0) {
$postdata = get_postdata($post);
$authordata = get_userdata($postdata["Author_ID"]);
if ($user_level < $authordata[13])
if ($user_level < $authordata->user_level)
die ('You don&#8217;t have the right to edit <strong>'.$authordata[1].'</strong>&#8217;s posts.');
$content = $postdata['Content'];
@ -218,7 +218,7 @@ switch($action) {
$postdata=get_postdata($post) or die("Oops, no post with this ID. <a href=\"b2edit.php\">Go back</a> !");
$authordata = get_userdata($postdata["Author_ID"]);
if ($user_level < $authordata[13])
if ($user_level < $authordata->user_level)
die ("You don't have the right to delete <b>".$authordata[1]."</b>'s posts.");
$query = "DELETE FROM $tableposts WHERE ID=$post";
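Review bot: The corrected comparison `if ($user_level < $authordata->user_level)` is immediately followed by a `die()` that still reads `$authordata[1]`, so the block now mixes object-property and array-index access on the same value; if get_userdata() returns an object, as the new line and the listing file's `$authordata->user_login` suggest, `$authordata[1]` will no longer yield the author's login. The delete hunk at `@ -218,7` has the same leftover. Change both messages to use the property, e.g. `die ('You don&#8217;t have the right to edit <strong>'.$authordata->user_login.'</strong>&#8217;s posts.');`. The delete hunk also still builds `DELETE FROM $tableposts WHERE ID=$post` by interpolation; whatever `$post`'s source, casting it first (`$post = (int) $post;`) would keep the query well-formed. Both switch cases start and end outside the hunks.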


@ -235,7 +235,7 @@ if ($i == "ASC")
<p>
<strong><?php the_time('Y/m/d @ H:i:s'); ?></strong> [ <a href="b2edit.php?p=<?php echo $id ?>&c=1"><?php comments_number('no comments', '1 comment', "% comments") ?></a>
<?php
if (($user_level > $authordata[13]) or ($user_login == $authordata[1])) {
if (($user_level > $authordata->user_level) or ($user_login == $authordata->user_login)) {
echo " - <a href='b2edit.php?action=edit&amp;post=$id";
if ($m)
echo "&m=$m";
@ -274,7 +274,7 @@ if ($i == "ASC")
<?php comment_text() ?>
<?php comment_date('Y/m/d') ?> @ <?php comment_time() ?>
<?php
if (($user_level > $authordata[13]) or ($user_login == $authordata[1])) {
if (($user_level > $authordata->user_level) or ($user_login == $authordata->user_login)) {
echo "[ <a href=\"b2edit.php?action=editcomment&amp;comment=".$commentdata->comment_ID."\">Edit</a>";
echo " - <a href=\"b2edit.php?action=deletecomment&amp;p=".$post->ID."&amp;comment=".$commentdata->comment_ID."\">Delete</a> ]";
}
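Review bot: The edit/delete links at `if (($user_level > $authordata->user_level) or ($user_login == $authordata->user_login))` appear only for users strictly above the author's level, whereas the action handlers in the first file of this commit (presumably b2edit.php) refuse only when `$user_level < $authordata->user_level`, so an equal-level user sees no link while the action itself is allowed. Pick one rule and apply it in both places, keeping in mind that the link test is presentation only and the action handler is where the decision is enforced. The same condition is repeated verbatim in the comment-list hunk at `@ -274,7`; a single helper such as `function user_can_edit_post($authordata) { return ($user_level > $authordata->user_level) or ($user_login === $authordata->user_login); }` (with the globals passed in rather than read implicitly) would stop the copies drifting. The surrounding listing loops start and end outside the hunks.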


@ -33,10 +33,10 @@ case 'promote':
$prom = $HTTP_GET_VARS["prom"];
$user_data = get_userdata($id);
$usertopromote_level = $user_data[13];
$usertopromote_level = $user_data->user_level;
if ($user_level <= $usertopromote_level) {
die('Can&#8217;t change the level of an user whose level is higher than yours.');
die('Can&#8217;t change the level of a user whose level is higher than yours.');
}
if ('up' == $prom) {
@ -65,7 +65,7 @@ case 'delete':
$usertodelete_level = $user_data->user_level;
if ($user_level <= $usertodelete_level)
die('Can&#8217;t delete an user whose level is higher than yours.');
die('Can&#8217;t delete a user whose level is higher than yours.');
$sql = "DELETE FROM $tableusers WHERE ID = $id";
$result = $wpdb->query($sql) or die("Couldn&#8217;t delete user #$id.");
@ -83,7 +83,7 @@ default:
include ('b2header.php');
?>
<div class="wrap"><p>Click on an user&#8217;s login name to see his complete profile.<br />
<div class="wrap"><p>Click on a user&#8217;s login name to see his complete profile.<br />
To edit your profile, click on your login name.</p>
</div>
@ -191,8 +191,8 @@ default:
}
if ($user_level >= 3) { ?>
<div class="wrap">
<p>To delete an user, bring his level to zero, then click on the red X.<br />
<strong>Warning:</strong> deleting an user also deletes all posts made by this user.
<p>To delete a user, bring his level to zero, then click on the red X.<br />
<strong>Warning:</strong> deleting a user also deletes all posts made by this user.
</p>
</div>
<?php
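Review bot: `$usertopromote_level = $user_data->user_level;` reads the property without first checking that `get_userdata($id)` returned a record; if it returns false or null for an unknown `$id`, the level is presumably null, `$user_level <= null` is false for any positive level, and the guard passes for a user that does not exist. Add a check before the comparison, e.g. `if (!$user_data) die('No such user.');`. The delete hunk at `@ -65,7` interpolates `$id` directly into `DELETE FROM $tableusers WHERE ID = $id`; casting it first (`$id = (int) $id;`) would keep the query well-formed regardless of where `$id` came from. Both `die()` messages say "higher than yours" while the conditions use `<=`, so an equal level is rejected too; the wording could say "equal to or higher than yours". The promote and delete cases start outside their hunks.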